Originally published May 2011

The use of cloud services is inevitable, especially as more and more organisations look for ways to cut costs and improve efficiencies. A careful and comprehensive technical and legal due diligence of cloud providers and their offerings is recommended to mitigate the risks inherent in the use of cloud services.

Cloud computing is not new, but businesses in South Africa have only recently started to consider cloud based services. As with any new method for providing of technology services, customers are wary to use this method until they fully understand its application and risks.

So, what is cloud computing?

In essence, cloud computing is not new technology, but rather a new way of delivering computing services "on demand" whereby users can turn the services on and off, and scale up or down, depending on need. Without knowing it, many people may already be using cloud services. For example, Gmail or Google Apps are virtual services i.e. services that are hosted in the cloud.

Benefits and risks

The numerous benefits of using cloud services, such as cost-effectiveness, scalability and resilience, are recognised. Yet many organisations are still cautious about cloud computing, the main concerns being around security, data privacy, loss of control over critical business functions and data, and service interruption.

Another concern is that in South Africa, there are currently no guidelines, codes of conduct or standards for cloud computing. Internationally, there are a myriad of organisations who have issued guidelines and codes of conduct, from where guidance can be taken. Examples include the Cloud Industry Forum (www.cloudindustryforum.org), Cloud Security Alliance (www.cloudsecurityalliance.org) and the European Network and Information Security Agency (www.enisa.europa.eu).

The selection of a cloud provider and any subsequent contract that is concluded must be approached in the same way that other technology-related decisions are made by an organisation. With most public cloud offerings, contracts are not negotiable and so the focus should be on contract / provider evaluation. A careful process of assessment of the various cloud providers, including their security, privacy and redundancy policies and service level agreements must be undertaken.

Security

Security is one of the most critical issues, especially where one is using the cloud for business critical services and sensitive and personal data is put into the cloud.

At a minimum, before selecting a cloud provider, one should conduct an audit of the cloud provider's security policies and processes so as to understand both the logical and physical security processes. Any process must be such that the security and integrity of personal data held in the cloud is maintained. If a cloud provider will not allow an audit, a report regarding the cloud provider's security processes and procedures by an independent auditor should be requested. Also consider what certifications (if any) the provider has.

Also ask whether the cloud provider has experienced any security breaches and if yes, full details of such breaches must be provided as well as what the cloud provider is doing to avoid further breaches.

Privacy and the impact of the PPI Bill

Data protection and privacy are the most commonly presented risks when considering placing sensitive and personal data in the cloud.

A cloud provider should have a comprehensive privacy policy setting out how it deals with personal information. Many jurisdictions have legislation aimed at protecting personal information and impose obligations on "data processors" or "data controllers" around protection of personal information under their control. The most notable example is the UK Data Protection Act. Cloud providers situate in the UK must adhere to this legislation which imposes obligations around the manner in which personal and sensitive data is used, and how such data can be transmitted.

South Africa currently does not have such legislation although this has been in the pipeline for many years in the form of the Protection of Personal Information Bill B9 of 2009 (as read with proposed amendments per the Working Draft issued on 24 February 2011) (PPI Bill). Its promulgation is imminent. Although still a Bill, certain provisions of the PPI Bill will be relevant for both local cloud providers and organisations who are considering using cloud services, whether locally or offshore.

In terms of the PPI Bill any person who in any way processes personal information of third parties (defined as "responsible parties" in the PPI Bill) and any person who, as part of their business operations, processes personal information on behalf of third parties in terms of a contract or mandate (defined as an "operator" in terms of the PPI Bill), will be bound by the PPI Bill. "Processing" is widely defined and includes any operation (including by automatic means) concerning personal information, including collection, storage, use, dissemination by means of transmission and distribution.

For example, Principle 2 of the Eight Information Protection Principles which form the core of the PPI Bill requires that subject to certain exemptions, the consent of the person to whom the personal information relates (defined as "data subject" in the PPI Bill) is required for the purposes of processing. Thus before personal information is transferred to a cloud, the responsible party must establish whether the consent of the data subject is required for such transfer.

In terms of Principle 7 (Security Safeguards), the responsible party (i.e. the cloud customer) is obliged to secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information.

In order to give effect to this, the responsible party must take reasonable measures to:

  • identify all reasonably foreseeable internal and external threats to personal information in its possession or under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

In addition, the responsible party must ensure that the operator (i.e. the cloud provider) establishes and maintains the security measures set out above.

Cloud providers in turn must, subject to certain exemptions in the PPI Bill, process personal information only with the knowledge or authorisation of the responsible party and treat personal information which comes to its knowledge as confidential. Further the processing by a cloud provider on behalf of a responsible party must be governed by a written agreement, such agreement to include an obligation on the cloud provider to establish and maintain confidentiality and security measures to ensure the integrity of the personal information.

In light of the above, a responsible party will need to consider whether the security and privacy policies and procedures of a cloud provider are such that the responsible party in transferring personal data to such cloud provider, is able to comply with the obligations imposed on it in terms of the PPI Bill.

Additional considerations

Service interruptions and outages

There have recently been a number of highly publicised outages of cloud providers, a notable example being the interruption to service of users of Amazon's Elastic Compute Cloud. In this regard, it is important to consider the service level agreement of the cloud provider to understand guarantees around availability, response and resolution times. Not all clouds are equipped for all purposes and when assessing cloud offerings, an organisation's service requirements must be assessed against service levels offered.

Cross border data flow

Where the cloud provider is an offshore entity, the transfer of services may involve transferring personal data offshore. In this regard, an important consideration would be whether the jurisdiction in which the cloud provider is situate has laws that protect personal information. Certain cloud providers now provide customers with the option to request that data not be transferred outside the jurisdiction in which it was originally placed, unless the jurisdiction has in place the same or substantially similar levels of data protection and security as the first jurisdiction.

The PPI Bill will impact on cross border data flows when it becomes law. Section 69 of the PPI Bill prohibits the transfer of personal information about a data subject to a foreign entity unless for example the recipient of the information (the offshore cloud provider) is subject to a law or agreement which effectively upholds principles for reasonable processing of information which are substantially similar to the information protection principles set out in the PPI Bill or the data subject consents to the transfer.

Termination and termination support

Another important consideration when choosing a cloud provider is what happens when the arrangement with the cloud provider terminates? Does the cloud provider offer any termination assistance around the return of data? Given that currently there are no standard data formats or procedures for data portability, the manner and format in which data will be returned must be understood and agreed upfront.

Conclusion

The use of cloud services is inevitable, especially as more and more organisations are looking for ways to cut costs and improve efficiencies. A careful and comprehensive technical and legal due diligence of cloud providers and their offerings will go a long way in mitigating the risks inherent in the use of cloud services.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.